
CN1691582A - Method for implementing compatibility between WAPI protocol and 802.1X protocol - Google Patents


Info

Publication number
CN1691582A
Authority
CN
China
Prior art keywords
wapi
authentication
sta
protocol
eap
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 200410034904
Other languages
Chinese (zh)
Other versions
CN100527668C (en)
Inventor
陈殿福
姚忠辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CNB2004100349042A
Publication of CN1691582A
Application granted
Publication of CN100527668C
Anticipated expiration
Current legal status: Expired - Fee Related

Landscapes

  • Small-Scale Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a method for implementing compatibility between the WAPI protocol and the 802.1X protocol, so as to solve the problem that non-WAPI terminal stations cannot access a WAPI-capable wireless local area network. In the method, a wireless access point (AP) supporting both the WAPI protocol and the 802.1X protocol sends an authentication activation message to a terminal station (STA); the AP determines whether the STA supports the WAPI protocol; if so, the AP and the STA authenticate according to the procedure specified by WAPI; otherwise, the AP and the STA abandon the WAPI authentication attempt and authenticate according to the procedure specified by 802.1X.

Description

Method for implementing compatibility between the WAPI protocol and the 802.1X protocol

Technical field

The present invention relates to wireless local area network technology, and in particular to a method for implementing compatibility between the WAPI protocol and the 802.1X protocol.

Background

A wireless local area network (WLAN) is mainly used to carry Internet Protocol (IP) packets: an access point (AP) provides wireless access for user terminals, and the IP packets are then forwarded through a network controller and the connecting equipment.

WLAN covers a number of different technologies. The most widely deployed standard at present is IEEE 802.11b, which uses the 2.4 GHz band and reaches a maximum data rate of 11 Mbps. IEEE 802.11g and Bluetooth also use this band; 802.11g reaches a maximum data rate of 54 Mbps. Newer technologies such as IEEE 802.11a and ETSI BRAN Hiperlan2 use the 5 GHz band and also reach a maximum rate of 54 Mbps.

With the rise and development of WLAN technology, interworking between WLAN and the various wireless mobile communication networks, such as GSM, code division multiple access (CDMA), wideband CDMA (WCDMA), time division duplex synchronous CDMA (TD-SCDMA) and CDMA2000, has become a focus of current research. For WLAN users accessing 3GPP/3GPP2 networks, the Third Generation Partnership Project (3GPP) and 3GPP2 standardization organizations are carrying out related work.

3GPP has decided to use the EAP-SIM (Extensible Authentication Protocol - Subscriber Identity Module) or EAP-AKA (Extensible Authentication Protocol - Authentication and Key Agreement) mechanism to implement access interworking between WLAN and 3GPP networks.

For WLAN-3GPP2 access interworking, mechanisms such as EAP-AKA and EAP-CAVE are under discussion.

All of the above methods build on the existing 3GPP/3GPP2 access authentication mechanisms to achieve WLAN-3GPP/3GPP2 interworking.

China has formulated a WLAN network access security specification, namely an access authentication mechanism based on the WLAN Authentication and Privacy Infrastructure (WAPI). Compatibility between the WAPI mechanism and 802.11i networks (802.11i is based on 802.1X), and in particular how a WAPI-capable AP can accommodate different types of STA, is currently a new problem.

WAPI consists of the WLAN Authentication Infrastructure (WAI) and the WLAN Privacy Infrastructure (WPI). WAI performs authentication and WPI provides encryption over the air interface. The WAPI mechanism uses public key cryptography to authenticate clients; an Authentication Service Unit (ASU) issues a public key certificate to each user.

The public key certificate has the following format:

  • Public key certificate version number
  • Certificate serial number
  • Signature algorithm used by the certificate issuer
  • Certificate issuer name
  • Public key information of the certificate issuer
  • Certificate validity period
  • Certificate holder name
  • Public key information of the certificate holder
  • Certificate type
  • Reserved field
  • Certificate issuer's signature over the certificate

The meanings of some of the fields in the table are as follows:

Certificate serial number: each public key certificate issued by the ASU is assigned a unique number.

Signature algorithm used by the certificate issuer: specifies the signature algorithm used by the issuer, including the algorithm name, the signature length and the length of the signer's public key.

The certificate issuer name specifies the identity of the issuer.

The certificate holder name specifies the identity of the certificate holder.

Certificate type: indicates the device type of the certificate holder, i.e. a WLAN terminal station (STA), an AP or an ASU.

Certificate issuer's signature over the certificate: this field is produced by the issuer signing all the other fields of the certificate.

The WAI procedure is shown in Figure 1:

(1) The AP sends an authentication activation message to the WLAN terminal (here, the STA).

(2) On receiving the authentication activation message, the WLAN terminal sends the WLAN client's public key certificate to the AP in an access authentication request message.

(3) On receiving the access authentication request message from the WLAN client, the AP extracts the client's certificate and encapsulates it, together with the AP's own public key certificate and the AP's signature, in a certificate authentication request message, which it sends to the ASU.

(4) On receiving the certificate authentication request message, the ASU verifies the AP's signature and the validity of the AP's certificate. If either is incorrect, the authentication procedure fails; otherwise the ASU goes on to verify the WLAN client's certificate.

(5) The ASU assembles the WLAN client certificate verification result, the AP certificate verification result and the ASU's signature into a certificate authentication response message and sends it to the AP.

(6) The AP verifies the signature on the certificate authentication response returned by the ASU, obtains the authentication result for the WLAN client and applies access control accordingly (that is, if the client was authenticated successfully it is allowed access; otherwise it is refused). At the same time, the AP forwards the certificate authentication response to the WLAN client; the client verifies the ASU's signature, obtains the authentication result for the AP and decides from it whether to connect through that AP (that is, if the AP was authenticated successfully the client may connect through it; otherwise it does not).

(7) The WLAN client and the AP negotiate keys and obtain the key used for air interface encryption.
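As an added illustration (not code from the patent), the seven WAI steps above simulated end to end in Python, with the certificate fields of the table. A tiny textbook RSA stands in for the signature algorithm (the description names none, so this is an assumption), the class and message names are mine, and the ASU keeps the serials it issued so that a certificate it never signed, an expired one, or an AP whose signature does not verify is refused at the step the description assigns to it.

```python
import hashlib
from dataclasses import dataclass

def rsa_keygen(p, q, e=17):
    """Toy RSA key pair from two small primes (demonstration only, not secure)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

@dataclass
class Certificate:
    """Public key certificate with the fields listed in the description."""
    version: int
    serial: int
    sig_alg: str
    issuer: str
    issuer_pub: tuple
    not_before: int
    not_after: int
    holder: str
    holder_pub: tuple
    cert_type: str          # "STA", "AP" or "ASU"
    reserved: bytes = b""
    signature: int = 0      # issuer's signature over every other field

    def tbs(self):
        """To-be-signed bytes: every field except the signature itself."""
        return repr((self.version, self.serial, self.sig_alg, self.issuer,
                     self.issuer_pub, self.not_before, self.not_after, self.holder,
                     self.holder_pub, self.cert_type, self.reserved)).encode()

class ASU:
    """Authentication Service Unit: issues certificates and answers the AP."""
    def __init__(self, name="asu.example"):
        self.name = name
        self.pub, self.priv = rsa_keygen(61, 53)
        self.issued = {}    # serial -> signed bytes; each serial is unique

    def issue(self, holder, holder_pub, cert_type, not_before, not_after):
        cert = Certificate(1, len(self.issued) + 1, "toy-rsa-sha256", self.name,
                           self.pub, not_before, not_after, holder, holder_pub, cert_type)
        cert.signature = sign(self.priv, cert.tbs())
        self.issued[cert.serial] = cert.tbs()
        return cert

    def check_cert(self, cert, now):
        """Issuer, signature, validity period and a known serial must all hold."""
        return (cert.issuer == self.name and cert.issuer_pub == self.pub
                and verify(self.pub, cert.tbs(), cert.signature)
                and cert.not_before <= now <= cert.not_after
                and self.issued.get(cert.serial) == cert.tbs())

    def cert_auth_response(self, request, now):
        """Steps (4)-(5): verify the AP first; only then examine the STA certificate."""
        sta_cert, ap_cert, ap_sig = request
        signed_by_ap = repr((sta_cert.tbs(), ap_cert.tbs())).encode()
        ap_ok = (ap_cert.cert_type == "AP" and self.check_cert(ap_cert, now)
                 and verify(ap_cert.holder_pub, signed_by_ap, ap_sig))
        sta_ok = ap_ok and sta_cert.cert_type == "STA" and self.check_cert(sta_cert, now)
        response = (sta_ok, ap_ok, sta_cert.serial, ap_cert.serial)
        return response, sign(self.priv, repr(response).encode())

def run_wai(asu, ap_cert, ap_priv, sta_cert, now):
    """Steps (1)-(7); returns (AP admits the STA, STA accepts the AP)."""
    # (1)-(2): activation, then the STA's certificate in the access authentication
    # request; here sta_cert simply arrives as a parameter.
    # (3): the AP signs the STA certificate together with its own and asks the ASU.
    ap_sig = sign(ap_priv, repr((sta_cert.tbs(), ap_cert.tbs())).encode())
    # (4)-(5): the ASU verifies both certificates and signs its response.
    response, asu_sig = asu.cert_auth_response((sta_cert, ap_cert, ap_sig), now)
    sta_ok, ap_ok, sta_serial, ap_serial = response
    # (6): each side checks the ASU signature and that the response concerns this pair.
    genuine = (verify(asu.pub, repr(response).encode(), asu_sig)
               and sta_serial == sta_cert.serial and ap_serial == ap_cert.serial)
    # (7): WPI key negotiation would follow only when both sides are satisfied.
    return genuine and sta_ok, genuine and ap_ok

def demo(now=1000):
    """Constructed scenario: a valid STA, an expired STA, and a STA whose certificate
    names the ASU as issuer but was signed with a rogue key."""
    asu = ASU()
    ap_pub, ap_priv = rsa_keygen(67, 71)
    ap_cert = asu.issue("ap-1", ap_pub, "AP", 0, 5000)
    good = asu.issue("sta-good", rsa_keygen(73, 79)[0], "STA", 0, 5000)
    expired = asu.issue("sta-old", rsa_keygen(73, 79)[0], "STA", 0, 500)
    rogue_pub, rogue_priv = rsa_keygen(83, 89)
    forged = Certificate(1, 99, "toy-rsa-sha256", asu.name, asu.pub, 0, 5000,
                         "sta-forged", rogue_pub, "STA")
    forged.signature = sign(rogue_priv, forged.tbs())  # wrong key: the ASU rejects it
    return {name: run_wai(asu, ap_cert, ap_priv, cert, now)
            for name, cert in (("good", good), ("expired", expired), ("forged", forged))}
```

In the expired and forged cases the STA still accepts the AP, because the ASU's response reports the AP result separately, which is exactly the two-sided decision of step (6).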

WLAN network access authentication of a WLAN client uses the WAI mechanism. In this case the ASU issues a public key digital certificate to each WLAN client, and the client identifies itself with that certificate. Once the client has passed WAI authentication it can access the Internet or other private networks; while the client is attached to the WLAN, the air interface is encrypted with the WPI mechanism to protect the WLAN's communications.

For a STA that does not support WAPI, for example the terminal of a WLAN user roaming into China from another country, WAPI messages are neither supported nor recognised. After the STA has associated with the AP, a WAPI-capable AP still sends an "authentication activation" message; at that point no further authentication or encryption negotiation can take place, so the terminal cannot access the WAPI network.

Like today's GSM/CDMA networks, a WLAN that is operated commercially must support roaming and meet the access needs of both domestic and overseas users. When the WLAN must use the WAI authentication system, how to accommodate non-WAPI STAs is a problem that urgently needs solving.

Summary of the invention

The present invention provides a method for implementing compatibility between the WAPI protocol and the 802.1X protocol, so as to solve the problem that non-WAPI terminal stations cannot access a WAPI-capable WLAN.

To solve the above problem, the present invention provides the following technical solution:

A method for implementing compatibility between the WAPI protocol and the 802.1X protocol, comprising the steps of:

a wireless access point (AP) supporting both the WAPI protocol and the 802.1X protocol sends an authentication activation message to a terminal station (STA);

the AP determines whether the STA supports the WAPI protocol; if so, the AP and the STA authenticate according to the procedure specified by WAPI; otherwise, the AP and the STA abandon the WAPI authentication attempt and authenticate according to the procedure specified by 802.1X.

According to the above method:

When the STA determines that it cannot recognise the received authentication activation message, it sends the AP a message initiating the EAP authentication procedure on its own initiative, and the AP concludes from that message that the STA does not support the WAPI protocol.

When the AP has sent the authentication activation message a predetermined number of times without receiving a WAPI response message from the STA, it concludes that the STA does not support the WAPI protocol and itself sends the STA an EAP request message to start the EAP procedure; when the AP has tried to start the EAP authentication procedure a predetermined number of times without receiving a response from the STA, it terminates the procedure and refuses access.

The AP and the STA generate keys and negotiate an encryption algorithm during the authentication procedure.

Authentication according to the 802.1X procedure may also carry other EAP-based authentication procedures; these include the EAP-SIM and EAP-AKA procedures of the WLAN and GSM/WCDMA convergence protocol.

By enhancing the AP's processing capability, the present invention gives the AP a capability-identification function for STAs and runs the appropriate authentication and encryption procedure according to the STA's capabilities, thereby allowing all types of user to gain access.

With the present invention, after the WAPI standard is mandated in China and the network is fully upgraded, existing domestic users who have not yet upgraded their terminals can still access the network.

For foreign roaming users, international roaming cannot be achieved with the existing WAPI approach; the present invention helps operators solve the problem of how WAPI can support international roaming, and so collect network usage fees from international roaming users.

Brief description of the drawings

Figure 1 is a flow chart of access authentication for a WAPI-capable terminal station in the prior art;

Figure 2 is a schematic diagram of the state machine of the enhanced AP according to embodiment 1 of the present invention;

Figure 3 is a flow chart of terminal station access authentication according to embodiment 1 of the present invention;

Figure 4 is a flow chart of EAP-SIM authentication;

Figure 5 is a flow chart of EAP-AKA authentication;

Figure 6 is a schematic diagram of the state machine of the enhanced AP according to embodiment 2 of the present invention;

Figure 7 is a flow chart of terminal station access authentication according to embodiment 2 of the present invention.

Detailed description

After the WLAN Authentication and Privacy Infrastructure (WAPI) standard is mandated in China, if all wireless access points (APs) in a wireless local area network (WLAN) are upgraded to support WAPI, then the large installed base of terminal stations (STAs) must also be upgraded to support WAPI in order to access the WAPI network; STAs that have not yet been upgraded, or that are roaming in from abroad, cannot access the WAPI network.

The present invention adds to the AP a means of automatically identifying the STA, using message content to determine whether the STA supports WAPI. If, after the AP has sent a WAPI message to the STA, it receives no WAPI response but does receive an 802.1X message, it concludes that the STA does not support WAPI but does support 802.1X, and starts the 802.1X authentication and encryption procedure.

When the STA does not support WAPI, the 802.1X authentication procedure between the STA and the AP can be initiated either by the STA or by the AP. The two approaches are described in turn below.

As shown in Figure 2, a processing branch is added to the AP's protocol processing state machine (the added part is shown inside the box) so that the AP supports 802.1X in addition to WAPI (802.1X is a security protocol defined by the IEEE; 802.11i is currently based on 802.1X). A terminal station (STA) that supports WAPI goes through the normal WAPI authentication and encryption procedure when it connects; a STA that does not support WAPI starts the 802.1X authentication procedure itself, according to its default configuration.

Referring to Figure 3 in conjunction with Figure 2, the processing flow is as follows:

(1) The STA and the AP carry out the usual negotiation, consisting of the three-step Probe, Authentication and Association handshake.

(2) After association is established, the WAPI-capable AP sends an authentication activation message to the STA.

(3) On receiving the authentication activation message, a STA that itself supports WAPI goes through the normal WAPI authentication and encryption procedure (as shown in Figure 1).

(4) A STA that does not support WAPI cannot recognise the authentication activation message. It then starts the 802.1X procedure according to its default configuration and sends the AP an EAPoL_Start (EAP over LAN - Start) message on its own initiative to begin EAP authentication.

(5) Because the AP supports both the WAPI protocol and the 802.1X protocol, it learns from the terminal's EAPoL_Start message that the STA does not support WAPI, and begins authentication according to 802.1X.

If a key is generated and a corresponding encryption algorithm is negotiated during 802.1X authentication, encryption (WEP, TKIP or AES) is enabled between the STA and the AP.

According to the WLAN authentication procedure defined by 3GPP/3GPP2, the EAP-SIM and EAP-AKA procedures can also be carried during 802.1X authentication. EAP-SIM and EAP-AKA are the WLAN and GSM/WCDMA convergence procedures defined by 3GPP (see 3GPP TS 23.234 for details). The interface point between both procedures and the present invention is the EAP Request/Identity message.

EAP-SIM is the WLAN and GSM/GPRS convergence procedure defined by 3GPP: the SIM authentication procedure is carried over 802.1X so that the user is authenticated and billed through the SIM card. Carrying EAP-SIM within the 802.1X authentication procedure is shown in Figure 4 (step 1 in Figure 4 is the three-step handshake between the STA and the AP).

EAP-AKA is a procedure defined by 3GPP in which the CAVE authentication procedure is carried over 802.1X so that the user is authenticated and billed through the USIM card, as shown in Figure 5 (step 1 in Figure 5 is the three-step handshake between the STA and the AP).

Referring to Figure 6, follow-up processing for the no-response case is added to the AP's protocol processing state machine (the added part is shown inside the dashed box) so that the AP supports 802.1X in addition to WAPI. When the AP has sent "authentication activation" and has received no WAPI response by the time authentication times out, it takes the terminal not to support WAPI and itself sends the STA an EAP Request/Identity message to try to start the 802.1X authentication procedure. If the STA's EAP response is received, the AP and the STA continue the 802.1X procedure; if no response is received and authentication has not yet timed out, the message is retransmitted as planned; if no response has been received by the time authentication times out, the procedure is terminated and access is refused.

Referring to Figure 7, the flow is as follows:

(1) The STA and the AP carry out the usual negotiation, consisting of the three-step Probe, Authentication and Association handshake.

(2) After association is established, the WAPI-capable AP sends an authentication activation message to the STA.

(3) If the AP receives a WAPI response message within the specified time interval, the STA supports WAPI and the normal WAPI authentication and encryption procedure follows (as shown in Figure 1).

(4) If the AP receives no response from the STA, and still receives none after the number of retransmissions given by its default configuration, it concludes that the STA does not support WAPI messages, terminates the WAPI procedure, sends the STA an EAP Request/Identity message and begins authentication according to 802.1X.

(5) If the subsequent procedure proceeds normally, then according to the WLAN authentication procedure defined by 3GPP/3GPP2, the protocols carried by EAP during 802.1X authentication include EAP-SIM, EAP-AKA and other procedures.

If a key is generated and a corresponding encryption algorithm is negotiated during 802.1X authentication, encryption is enabled between the STA and the AP.

(6) If, after the AP has sent the EAP Request/Identity message, it still receives no proper response from the STA, the authentication procedure is terminated and access is refused.
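Added example, not the patent's own code: an AP-side state machine in Python that implements both embodiments, the STA-initiated EAPoL_Start branch (Figures 2 and 3) and the timeout-driven branch in which the AP itself sends EAP Request/Identity, retransmits, and finally refuses access (Figures 6 and 7). The retry counts, the state and event names, and the choice to wait for EAP Response/Identity in both branches are assumptions; the page fixes none of them.

```python
from enum import Enum, auto


class State(Enum):
    ASSOCIATED = auto()       # Probe / Authentication / Association done
    WAPI_ACTIVATING = auto()  # authentication activation sent, awaiting a WAPI reply
    WAPI_AUTH = auto()        # normal WAI procedure of Figure 1
    EAP_IDENTITY = auto()     # EAP Request/Identity sent, awaiting EAP Response/Identity
    DOT1X_AUTH = auto()       # 802.1X / EAP procedure (may carry EAP-SIM or EAP-AKA)
    REJECTED = auto()         # access refused


class Event(Enum):
    TIMEOUT = auto()                # retransmission timer expired, nothing received
    WAPI_ACCESS_AUTH_REQ = auto()   # WAI access authentication request (STA certificate)
    EAPOL_START = auto()            # STA asks for EAP itself (embodiment 1)
    EAP_RESPONSE_IDENTITY = auto()  # STA answered EAP Request/Identity


class EnhancedAP:
    """AP protocol state machine with the branches added in Figures 2 and 6."""

    def __init__(self, wapi_retries=3, eap_retries=3):
        self.wapi_retries = wapi_retries   # activation sends before giving up on WAPI
        self.eap_retries = eap_retries     # Request/Identity sends before rejecting
        self.state = State.ASSOCIATED
        self.sent = []       # every message the AP transmitted, in order
        self.attempts = 0    # sends of the message currently awaiting a reply

    def _send(self, message, new_state):
        self.sent.append(message)
        self.attempts += 1
        self.state = new_state

    def start(self):
        """Step (2): after association, send the WAPI authentication activation."""
        self.attempts = 0
        self._send("WAPI AuthActivate", State.WAPI_ACTIVATING)
        return self.state

    def handle(self, event):
        """Feed one received message or timer expiry; returns the new state."""
        if self.state == State.WAPI_ACTIVATING:
            if event == Event.WAPI_ACCESS_AUTH_REQ:
                self.state = State.WAPI_AUTH            # STA speaks WAPI: Figure 1 flow
            elif event == Event.EAPOL_START:            # embodiment 1: STA cannot read WAPI
                self.attempts = 0
                self._send("EAP Request/Identity", State.EAP_IDENTITY)
            elif event == Event.TIMEOUT:
                if self.attempts < self.wapi_retries:
                    self._send("WAPI AuthActivate", State.WAPI_ACTIVATING)
                else:                                   # embodiment 2: AP abandons WAPI
                    self.attempts = 0
                    self._send("EAP Request/Identity", State.EAP_IDENTITY)
        elif self.state == State.EAP_IDENTITY:
            if event == Event.EAP_RESPONSE_IDENTITY:
                self.state = State.DOT1X_AUTH           # continue per 802.1X
            elif event == Event.TIMEOUT:
                if self.attempts < self.eap_retries:
                    self._send("EAP Request/Identity", State.EAP_IDENTITY)
                else:
                    self.state = State.REJECTED         # claim 4: terminate, refuse access
        # any other event in any other state is ignored; a real AP would log it
        return self.state


def run(events, **kw):
    """Drive a fresh AP through a list of events; returns (final state, messages sent)."""
    ap = EnhancedAP(**kw)
    ap.start()
    for event in events:
        ap.handle(event)
    return ap.state, ap.sent


def demo():
    """Four constructed STAs: WAPI-capable; 802.1X-only and sends EAPoL_Start;
    802.1X-only but silent until the AP prompts it; and one that never answers."""
    T, A = Event.TIMEOUT, Event.WAPI_ACCESS_AUTH_REQ
    S, R = Event.EAPOL_START, Event.EAP_RESPONSE_IDENTITY
    return {
        "wapi_sta": run([A]),
        "eapol_start_sta": run([S, R]),
        "silent_then_eap_sta": run([T, T, T, R]),
        "silent_sta": run([T, T, T, T, T, T]),
    }
```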

By enhancing the AP's processing capability, the present invention gives the AP a capability-identification function for STAs and runs the appropriate authentication and encryption procedure according to the STA's capabilities, thereby allowing all types of user to gain access. After the network is fully upgraded, existing domestic users who have not yet upgraded their terminals can still access the network; foreign roaming users cannot achieve international roaming under the WAPI approach, but an AP with this processing capability greatly eases their access and roaming. With the present invention an operator can solve the problem of how to support international roaming, and so collect network usage fees from international roaming users.

Claims (7)

1. A method for implementing compatibility between the WAPI protocol and the 802.1X protocol, characterised in that the method comprises the steps of:

a wireless access point (AP) supporting both the WAPI protocol and the 802.1X protocol sends an authentication activation message to a terminal station (STA);

the AP determines whether the STA supports the WAPI protocol; if so, the AP and the STA authenticate according to the procedure specified by WAPI; otherwise, the AP and the STA abandon the WAPI authentication attempt and authenticate according to the procedure specified by 802.1X.

2. The method according to claim 1, characterised in that when the STA determines that it cannot recognise the received authentication activation message, it sends the AP a message initiating the EAP authentication procedure on its own initiative, and the AP concludes from that message that the STA does not support the WAPI protocol.

3. The method according to claim 1, characterised in that when the AP has sent the authentication activation message a predetermined number of times without receiving a WAPI response message from the STA, it concludes that the STA does not support the WAPI protocol and itself sends the STA an EAP request message to start the EAP procedure.

4. The method according to claim 3, characterised in that when the AP has tried to start the EAP authentication procedure a predetermined number of times without receiving a response from the STA, it terminates the procedure and refuses access.

5. The method according to any one of claims 1 to 3, characterised in that the AP and the STA generate keys and negotiate an encryption algorithm during the authentication procedure.

6. The method according to claim 5, characterised in that authentication according to the 802.1X procedure also carries other EAP-based authentication procedures.

7. The method according to claim 5, characterised in that the other authentication procedures include the EAP-SIM and EAP-AKA procedures of the WLAN and GSM/WCDMA convergence protocol.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2004100349042A CN100527668C (en) 2004-04-24 2004-04-24 Method for implementing compatibility between WAPI protocol and 802.1X protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2004100349042A CN100527668C (en) 2004-04-24 2004-04-24 Method for implementing compatibility between WAPI protocol and 802.1X protocol

Publications (2)

Publication Number Publication Date
CN1691582A true CN1691582A (en) 2005-11-02
CN100527668C CN100527668C (en) 2009-08-12

Family

ID=35346744

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100349042A Expired - Fee Related CN100527668C (en) 2004-04-24 2004-04-24 Method for implementing compatibility between WAPI protocol and 802.1X protocol

Country Status (1)

Country Link
CN (1) CN100527668C (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007098692A1 (en) * 2006-02-28 2007-09-07 China Iwncomm Co., Ltd. An apparatus for testing the protocol conformance of the security accessing of network terminal and the method thereof
CN100388664C (en) * 2005-12-16 2008-05-14 西安电子科技大学 Access method for realizing WLAN multi-mode security authentication
CN101335621A (en) * 2007-06-26 2008-12-31 中国科学院声学研究所 A 802.11i Key Management Method
WO2010096997A1 (en) * 2009-02-27 2010-09-02 西安西电捷通无线网络通信股份有限公司 Method for implementing a convergent wireless local area network (wlan) authentication and privacy infrastructure (wapi) network architecture in a local mac mode
CN1805441B (en) * 2005-11-23 2011-01-05 西安电子科技大学 Integrated WLAN authentication architecture and method of implementing structural layers
CN101969639A (en) * 2010-10-19 2011-02-09 广州杰赛科技股份有限公司 Multi-certificate and multi-certification mode combined access authentication method and system
CN101325606B (en) * 2007-06-15 2011-12-21 夏普株式会社 Communications device, and communications method
CN101730097B (en) * 2009-11-18 2012-10-10 中兴通讯股份有限公司 Method and system for accessing wireless terminal to wireless network
CN103987039A (en) * 2013-02-07 2014-08-13 华为终端有限公司 Processing method and equipment for WPS negotiation access
US8813199B2 (en) 2009-02-27 2014-08-19 China Iwncomm Co., Ltd. Method for realizing convergent WAPI network architecture with separate MAC mode
US8855018B2 (en) 2009-02-27 2014-10-07 China Iwncomm Co., Ltd. Method for realizing convergent WAPI network architecture with split MAC mode

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1805441B (en) * 2005-11-23 2011-01-05 西安电子科技大学 Integrated WLAN authentication architecture and method of implementing structural layers
CN100388664C (en) * 2005-12-16 2008-05-14 西安电子科技大学 Access method for realizing WLAN multi-mode security authentication
WO2007098692A1 (en) * 2006-02-28 2007-09-07 China Iwncomm Co., Ltd. An apparatus for testing the protocol conformance of the security accessing of network terminal and the method thereof
CN101325606B (en) * 2007-06-15 2011-12-21 夏普株式会社 Communications device, and communications method
CN101335621A (en) * 2007-06-26 2008-12-31 中国科学院声学研究所 An 802.11i Key Management Method
WO2010096997A1 (en) * 2009-02-27 2010-09-02 西安西电捷通无线网络通信股份有限公司 Method for implementing a convergent wireless local area network (wlan) authentication and privacy infrastructure (wapi) network architecture in a local mac mode
US8813199B2 (en) 2009-02-27 2014-08-19 China Iwncomm Co., Ltd. Method for realizing convergent WAPI network architecture with separate MAC mode
US8855018B2 (en) 2009-02-27 2014-10-07 China Iwncomm Co., Ltd. Method for realizing convergent WAPI network architecture with split MAC mode
US9015331B2 (en) 2009-02-27 2015-04-21 China Iwncomm Co., Ltd. Method for implementing a convergent wireless local area network (WLAN) authentication and privacy infrastructure (WAPI) network architecture in a local MAC mode
CN101730097B (en) * 2009-11-18 2012-10-10 中兴通讯股份有限公司 Method and system for accessing wireless terminal to wireless network
CN101969639A (en) * 2010-10-19 2011-02-09 广州杰赛科技股份有限公司 Multi-certificate and multi-certification mode combined access authentication method and system
CN101969639B (en) * 2010-10-19 2013-02-06 广州杰赛科技股份有限公司 Multi-certificate and multi-certification mode combined access authentication method and system
CN103987039A (en) * 2013-02-07 2014-08-13 华为终端有限公司 Processing method and equipment for WPS negotiation access
CN103987039B (en) * 2013-02-07 2017-11-28 华为终端有限公司 Processing method and equipment for WPS negotiation access

Also Published As

Publication number Publication date
CN100527668C (en) 2009-08-12

Similar Documents

Publication Publication Date Title
CN1186906C (en) Wireless LAN safety connecting-in control method
CN1265607C (en) Method for building up service tunnel in wireless local area network
CN102204307B (en) WLAN authentication method and device based on MAC address
EP2445143B1 (en) Method and system for accessing a 3rd generation network
CN1842000A (en) Method for realizing access authentication of WLAN
CN1720688A (en) Key generation in a communication system
CN1674497A (en) Certification method for WLAN terminal switching in mobile network
CN1549482A (en) A Method for Realizing High-Rate Packet Data Service Authentication
CN1274181C (en) Method for managing local terminal equipment accessing network
CN1549526A (en) A method for realizing wireless local area network authentication
CN1848994A (en) Method for realizing authentication in a worldwide interoperability for microwave access (WiMAX) system
JP2008547270A (en) System selection and acquisition for WWAN and WLAN systems
CN1813457A (en) Apparatus and method for a single sign-on authentication through a non-trusted access network
CN1662092A (en) Access authentication method and equipment in a high-speed packet data network
CN102595405A (en) Authentication method, system and equipment for network access
CN1601958A (en) HRPD network access authentication method based on CAVE algorithm
CN1610319A (en) Access processing method for service selection in a wireless local area network
CN1567868A (en) Authentication method based on Ethernet authentication system
CN1691582A (en) Method for implementing compatibility between WAPI protocol and 802.1X protocol
CN1277368C (en) Interactive method for reselecting operation network for radio local net user terminal
CN1681239A (en) Method for supporting multiple safe mechanism in wireless local network system
CN1697370A (en) Method for mobile terminal in WLAN to apply for certificate
CN100459536C (en) Method and network for WLAN session control
CN100579042C (en) Method and device for supporting multiple logical networks in wireless local area network
CN1327648C (en) Method for realizing high-rate packet data service authentication

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090812